This guide explains how PCI DSS applies to WordPress.com sites and what steps you can take as a site owner to help meet compliance requirements.
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed by the Payment Card Industry Security Standards Council (PCI SSC) to protect credit card data during and after transactions. If your site accepts credit card payments, these standards apply to you.
For more information about PCI DSS, review the PCI DSS Quick Reference Guide.
The payments infrastructure on WordPress.com—the system we use to process subscription fees and plan purchases—meets PCI DSS requirements.
However, hosting your site on WordPress.com does not automatically make your site PCI compliant.
PCI DSS compliance is assessed per merchant, not per hosting environment. If you accept payments on your site, you are the merchant of record, and your compliance depends on how you implement and manage payments.
If you accept credit card payments on your WordPress.com site, take these steps to help meet PCI DSS requirements:
- Use a PCI-compliant payment gateway that handles card data off-site. The payment blocks built into WordPress.com—including the Payments block, Pay with PayPal block, and Paid Content block—are PCI compliant. They use Stripe or PayPal to process payments directly, so card data never passes through your site. If you run a WooCommerce store, WooPayments is also PCI compliant.
- Never store credit card data such as card numbers (PANs), CVV codes, or expiration dates anywhere on your site, including posts, comments, form submissions, or plugin settings.
- Keep your plugins and themes updated to patch security vulnerabilities.
- Use strong passwords and enable two-step authentication.
- Limit administrator access and assign user roles based on what each person needs.
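One way to verify the "never store credit card data" step is to scan an export of your site's database for Luhn-valid card numbers. The script below is an added example, not part of this guide or of WordPress.com's tooling; it assumes rows have been exported as (table, id, column, value) tuples, and the sample rows are constructed test data.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit sequences found in text, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the report itself does not store a PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_rows(rows):
    """rows: iterable of (table, id, column, value). Returns findings with masked PANs."""
    findings = []
    for table, row_id, column, value in rows:
        for pan in find_pans(str(value)):
            findings.append({"table": table, "id": row_id, "column": column, "pan": mask_pan(pan)})
    return findings


# Constructed sample rows resembling a WordPress database export (not real data).
SAMPLE_ROWS = [
    ("wp_postmeta", 101, "meta_value", "Order #1001 shipped, tracking 1Z999AA10123456784"),
    ("wp_comments", 57, "comment_content", "my card is 4242 4242 4242 4242 exp 12/27 please refund"),
    ("wp_options", 9, "option_value", "checkout_note: use gateway token tok_visa, never raw PAN"),
    ("wp_postmeta", 102, "meta_value", "Phone 5555555555555555? no: 5555 5555 5555 4444"),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

A tracking number and a run of identical digits are skipped because they fail the Luhn check, while the two test card numbers in the comment and post meta are reported with only their last four digits.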